This patch adds a new security attribute to Smack called

#define XATTR_SMACK_SUFFIX "SMACK64"

#define XATTR_SMACK_IPIN "SMACK64IPIN"

#define XATTR_SMACK_IPOUT "SMACK64IPOUT"

#define XATTR_SMACK_EXEC "SMACK64EXEC"

#define XATTR_NAME_SMACK XATTR_SECURITY_PREFIX XATTR_SMACK_SUFFIX

#define XATTR_NAME_SMACKIPIN	XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN

#define XATTR_NAME_SMACKIPOUT	XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT

#define XATTR_NAME_SMACKEXEC	XATTR_SECURITY_PREFIX XATTR_SMACK_EXEC

#define XATTR_CAPS_SUFFIX "capability"

#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX

 */

struct inode_smack {

	char		*smk_inode;	/* label of the fso */

	char		*smk_task;	/* label of the task */

	struct mutex	smk_lock;	/* initialization lock */

	int		smk_flags;	/* smack inode flags */

};

struct task_smack {

	char		*smk_task;	/* label used for access control */

	char		*smk_forked;	/* label when forked */

};

#define	SMK_INODE_INSTANT	0x01	/* inode is instantiated */

/*

	return sip->smk_inode;

}

/*

 * Present a pointer to the smack label in an task blob.

 */

static inline char *smk_of_task(const struct task_smack *tsp)

{

	return tsp->smk_task;

}

/*

 * Present a pointer to the forked smack label in an task blob.

 */

static inline char *smk_of_forked(const struct task_smack *tsp)

{

	return tsp->smk_forked;

}

/*

 * Present a pointer to the smack label in the curren task blob.

 */

static inline char *smk_of_current(void)

{

	return smk_of_task(current_security());

}

/*

 * logging functions

 */

int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)

{

	int rc;

	char *sp = current_security();

	char *sp = smk_of_current();

	rc = smk_access(sp, obj_label, mode, NULL);

	if (rc == 0)

	 * only one that gets privilege and current does not

	 * have that label.

	 */

	if (smack_onlycap != NULL && smack_onlycap != current->cred->security)

	if (smack_onlycap != NULL && smack_onlycap != sp)

		goto out_audit;

	if (capable(CAP_MAC_OVERRIDE))

 * Returns a pointer to the master list entry for the Smack label

 * or NULL if there was no label to fetch.

 */

static char *smk_fetch(struct inode *ip, struct dentry *dp)

static char *smk_fetch(const char *name, struct inode *ip, struct dentry *dp)

{

	int rc;

	char in[SMK_LABELLEN];

	if (ip->i_op->getxattr == NULL)

		return NULL;

	rc = ip->i_op->getxattr(dp, XATTR_NAME_SMACK, in, SMK_LABELLEN);

	rc = ip->i_op->getxattr(dp, name, in, SMK_LABELLEN);

	if (rc < 0)

		return NULL;

	if (rc != 0)

		return rc;

	sp = current_security();

	tsp = task_security(ctp);

	sp = smk_of_current();

	tsp = smk_of_task(task_security(ctp));

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);

	smk_ad_setfield_u_tsk(&ad, ctp);

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);

	smk_ad_setfield_u_tsk(&ad, ptp);

	sp = current_security();

	tsp = task_security(ptp);

	sp = smk_of_current();

	tsp = smk_of_task(task_security(ptp));

	/* we won't log here, because rc can be overriden */

	rc = smk_access(tsp, sp, MAY_READWRITE, NULL);

	if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE))

static int smack_syslog(int typefrom_file)

{

	int rc = 0;

	char *sp = current_security();

	char *sp = smk_of_current();

	if (capable(CAP_MAC_OVERRIDE))

		return 0;

	return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);

}

/*

 * BPRM hooks

 */

static int smack_bprm_set_creds(struct linux_binprm *bprm)

{

	struct task_smack *tsp = bprm->cred->security;

	struct inode_smack *isp;

	struct dentry *dp;

	int rc;

	rc = cap_bprm_set_creds(bprm);

	if (rc != 0)

		return rc;

	if (bprm->cred_prepared)

		return 0;

	if (bprm->file == NULL || bprm->file->f_dentry == NULL)

		return 0;

	dp = bprm->file->f_dentry;

	if (dp->d_inode == NULL)

		return 0;

	isp = dp->d_inode->i_security;

	if (isp->smk_task != NULL)

		tsp->smk_task = isp->smk_task;

	return 0;

}

/*

 * Inode hooks

 */

 */

static int smack_inode_alloc_security(struct inode *inode)

{

	inode->i_security = new_inode_smack(current_security());

	inode->i_security = new_inode_smack(smk_of_current());

	if (inode->i_security == NULL)

		return -ENOMEM;

	return 0;

	if (strcmp(name, XATTR_NAME_SMACK) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {

	    strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKEXEC) == 0) {

		if (!capable(CAP_MAC_ADMIN))

			rc = -EPERM;

		/*

	char *nsp;

	/*

	 * Not SMACK

	 * Not SMACK or SMACKEXEC

	 */

	if (strcmp(name, XATTR_NAME_SMACK))

	if (strcmp(name, XATTR_NAME_SMACK) &&

	    strcmp(name, XATTR_NAME_SMACKEXEC))

		return;

	isp = dentry->d_inode->i_security;

	 * assignment.

	 */

	nsp = smk_import(value, size);

	if (strcmp(name, XATTR_NAME_SMACK) == 0) {

		if (nsp != NULL)

			isp->smk_inode = nsp;

		else

			isp->smk_inode = smack_known_invalid.smk_known;

	} else {

		if (nsp != NULL)

			isp->smk_task = nsp;

		else

			isp->smk_task = smack_known_invalid.smk_known;

	}

	return;

}

 */

static int smack_inode_removexattr(struct dentry *dentry, const char *name)

{

	struct inode_smack *isp;

	struct smk_audit_info ad;

	int rc = 0;

	if (strcmp(name, XATTR_NAME_SMACK) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {

	    strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKEXEC) == 0) {

		if (!capable(CAP_MAC_ADMIN))

			rc = -EPERM;

	} else

	if (rc == 0)

		rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);

	if (rc == 0) {

		isp = dentry->d_inode->i_security;

		isp->smk_task = NULL;

	}

	return rc;

}

 */

static int smack_file_alloc_security(struct file *file)

{

	file->f_security = current_security();

	file->f_security = smk_of_current();

	return 0;

}

 */

static int smack_file_set_fowner(struct file *file)

{

	file->f_security = current_security();

	file->f_security = smk_of_current();

	return 0;

}

{

	struct file *file;

	int rc;

	char *tsp = tsk->cred->security;

	char *tsp = smk_of_task(tsk->cred->security);

	struct smk_audit_info ad;

	/*

 */

static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)

{

	cred->security = NULL;

	cred->security = kzalloc(sizeof(struct task_smack), gfp);

	if (cred->security == NULL)

		return -ENOMEM;

	return 0;

}

 */

static void smack_cred_free(struct cred *cred)

{

	cred->security = NULL;

	kfree(cred->security);

}

/**

static int smack_cred_prepare(struct cred *new, const struct cred *old,

			      gfp_t gfp)

{

	new->security = old->security;

	struct task_smack *old_tsp = old->security;

	struct task_smack *new_tsp;

	new_tsp = kzalloc(sizeof(struct task_smack), gfp);

	if (new_tsp == NULL)

		return -ENOMEM;

	new_tsp->smk_task = old_tsp->smk_task;

	new_tsp->smk_forked = old_tsp->smk_task;

	new->security = new_tsp;

	return 0;

}

 */

static void smack_cred_transfer(struct cred *new, const struct cred *old)

{

	new->security = old->security;

	struct task_smack *old_tsp = old->security;

	struct task_smack *new_tsp = new->security;

	new_tsp->smk_task = old_tsp->smk_task;

	new_tsp->smk_forked = old_tsp->smk_task;

}

/**

 */

static int smack_kernel_act_as(struct cred *new, u32 secid)

{

	struct task_smack *new_tsp = new->security;

	char *smack = smack_from_secid(secid);

	if (smack == NULL)

		return -EINVAL;

	new->security = smack;

	new_tsp->smk_task = smack;

	return 0;

}

					struct inode *inode)

{

	struct inode_smack *isp = inode->i_security;

	struct task_smack *tsp = new->security;

	new->security = isp->smk_inode;

	tsp->smk_forked = isp->smk_inode;

	tsp->smk_task = isp->smk_inode;

	return 0;

}

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);

	smk_ad_setfield_u_tsk(&ad, p);

	return smk_curacc(task_security(p), access, &ad);

	return smk_curacc(smk_of_task(task_security(p)), access, &ad);

}

/**

 */

static void smack_task_getsecid(struct task_struct *p, u32 *secid)

{

	*secid = smack_to_secid(task_security(p));

	*secid = smack_to_secid(smk_of_task(task_security(p)));

}

/**

	 * can write the receiver.

	 */

	if (secid == 0)

		return smk_curacc(task_security(p), MAY_WRITE, &ad);

		return smk_curacc(smk_of_task(task_security(p)), MAY_WRITE,

				  &ad);

	/*

	 * If the secid isn't 0 we're dealing with some USB IO

	 * specific behavior. This is not clean. For one thing

	 * we can't take privilege into account.

	 */

	return smk_access(smack_from_secid(secid), task_security(p),

			  MAY_WRITE, &ad);

	return smk_access(smack_from_secid(secid),

			  smk_of_task(task_security(p)), MAY_WRITE, &ad);

}

/**

static int smack_task_wait(struct task_struct *p)

{

	struct smk_audit_info ad;

	char *sp = current_security();

	char *tsp = task_security(p);

	char *sp = smk_of_current();

	char *tsp = smk_of_forked(task_security(p));

	int rc;

	/* we don't log here, we can be overriden */

	rc = smk_access(sp, tsp, MAY_WRITE, NULL);

	rc = smk_access(tsp, sp, MAY_WRITE, NULL);

	if (rc == 0)

		goto out_log;

 out_log:

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);

	smk_ad_setfield_u_tsk(&ad, p);

	smack_log(sp, tsp, MAY_WRITE, rc, &ad);

	smack_log(tsp, sp, MAY_WRITE, rc, &ad);

	return rc;

}

static void smack_task_to_inode(struct task_struct *p, struct inode *inode)

{

	struct inode_smack *isp = inode->i_security;

	isp->smk_inode = task_security(p);

	isp->smk_inode = smk_of_task(task_security(p));

}

/*

 */

static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)

{

	char *csp = current_security();

	char *csp = smk_of_current();

	struct socket_smack *ssp;

	ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);

 */

static int smack_msg_msg_alloc_security(struct msg_msg *msg)

{

	msg->security = current_security();

	msg->security = smk_of_current();

	return 0;

}

{

	struct kern_ipc_perm *isp = &shp->shm_perm;

	isp->security = current_security();

	isp->security = smk_of_current();

	return 0;

}

{

	struct kern_ipc_perm *isp = &sma->sem_perm;

	isp->security = current_security();

	isp->security = smk_of_current();

	return 0;

}

{

	struct kern_ipc_perm *kisp = &msq->q_perm;

	kisp->security = current_security();

	kisp->security = smk_of_current();

	return 0;

}

	struct super_block *sbp;

	struct superblock_smack *sbsp;

	struct inode_smack *isp;

	char *csp = current_security();

	char *csp = smk_of_current();

	char *fetched;

	char *final;

	struct dentry *dp;

		 * Get the dentry for xattr.

		 */

		dp = dget(opt_dentry);

		fetched = smk_fetch(inode, dp);

		fetched = smk_fetch(XATTR_NAME_SMACK, inode, dp);

		if (fetched != NULL)

			final = fetched;

		isp->smk_task = smk_fetch(XATTR_NAME_SMACKEXEC, inode,

					  dp);

		dput(dp);

		break;

	}

	if (strcmp(name, "current") != 0)

		return -EINVAL;

	cp = kstrdup(task_security(p), GFP_KERNEL);

	cp = kstrdup(smk_of_task(task_security(p)), GFP_KERNEL);

	if (cp == NULL)

		return -ENOMEM;

static int smack_setprocattr(struct task_struct *p, char *name,

			     void *value, size_t size)

{

	struct task_smack *tsp;

	struct cred *new;

	char *newsmack;

	new = prepare_creds();

	if (new == NULL)

		return -ENOMEM;

	new->security = newsmack;

	tsp = kzalloc(sizeof(struct task_smack), GFP_KERNEL);

	if (tsp == NULL) {

		kfree(new);

		return -ENOMEM;

	}

	tsp->smk_task = newsmack;

	new->security = tsp;

	commit_creds(new);

	return size;

}

		return;

	ssp = sk->sk_security;

	ssp->smk_in = ssp->smk_out = current_security();

	ssp->smk_in = ssp->smk_out = smk_of_current();

	/* cssp->smk_packet is already set in smack_inet_csk_clone() */

}

static int smack_key_alloc(struct key *key, const struct cred *cred,

			   unsigned long flags)

{

	key->security = cred->security;

	key->security = smk_of_task(cred->security);

	return 0;

}

{

	struct key *keyp;

	struct smk_audit_info ad;

	char *tsp = smk_of_task(cred->security);

	keyp = key_ref_to_ptr(key_ref);

	if (keyp == NULL)

	/*

	 * This should not occur

	 */

	if (cred->security == NULL)

	if (tsp == NULL)

		return -EACCES;

#ifdef CONFIG_AUDIT

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);

	ad.a.u.key_struct.key = keyp->serial;

	ad.a.u.key_struct.key_desc = keyp->description;

#endif

	return smk_access(cred->security, keyp->security,

	return smk_access(tsp, keyp->security,

				 MAY_READWRITE, &ad);

}

#endif /* CONFIG_KEYS */

	.sb_mount = 			smack_sb_mount,

	.sb_umount = 			smack_sb_umount,

	.bprm_set_creds =		smack_bprm_set_creds,

	.inode_alloc_security = 	smack_inode_alloc_security,

	.inode_free_security = 		smack_inode_free_security,

	.inode_init_security = 		smack_inode_init_security,

static __init int smack_init(void)

{

	struct cred *cred;

	struct task_smack *tsp;

	if (!security_module_enable(&smack_ops))

	tsp = kzalloc(sizeof(struct task_smack), GFP_KERNEL);

	if (tsp == NULL)

		return -ENOMEM;

	if (!security_module_enable(&smack_ops)) {

		kfree(tsp);

		return 0;

	}

	printk(KERN_INFO "Smack:  Initializing.\n");

	 * Set the security state for the initial task.

	 */

	cred = (struct cred *) current->cred;

	cred->security = &smack_known_floor.smk_known;

	tsp->smk_forked = smack_known_floor.smk_known;

	tsp->smk_task = smack_known_floor.smk_known;

	cred->security = tsp;

	/* initialize the smack_know_list */

	init_smack_know_list();

{

	nap->loginuid = audit_get_loginuid(current);

	nap->sessionid = audit_get_sessionid(current);

	nap->secid = smack_to_secid(current_security());

	nap->secid = smack_to_secid(smk_of_current());

}

/*

				 size_t count, loff_t *ppos)

{

	char in[SMK_LABELLEN];

	char *sp = current->cred->security;